CyberScotland Week returns for its eighth year from 23rd to 28th February. With the theme ‘Can’t Hack it?’, the week aims to “bring people and sectors together to share knowledge, strengthen resilience and celebrate innovation in cyber security.”

For the organisations we support, from lean security teams to overstretched IT leaders in regulated, high-pressure environments, that message couldn’t be more relevant. Over the last decade, cybercrime has become faster, noisier, and more disruptive. But the reality we see every day is that the fundamentals still prevent (or contain) the majority of incidents when they’re consistently applied.

That’s why we track the threats facing organisations in all sectors and translate what we’re seeing into practical priorities. Our latest report, the 2026 Global Cyber Risk Outlook, details the current threat landscape, from financially motivated cybercriminals to nation-state-backed adversaries and hacktivists – and, more importantly, what those shifts mean for the controls, behaviours, and decisions that reduce real-world risk.

What’s new in 2026?

By studying the threat landscape throughout 2025, our Threat Intelligence team made several key findings. Even with the recent, rapid advancement of artificial intelligence (AI), social engineering remains the most common way for bad actors to steal data and gain entry into IT systems. Key trends for 2026 include:

  • The number of newly formed ransomware groups increased by 30% during the 12 months to the end of October 2025
  • New, white-label Ransomware-as-a-Service (RaaS) platforms now enable cybercriminal groups to create their own brands
  • Average ransom demands rose in most sectors, with significant jumps of 179% in financial services and 97% in manufacturing
  • Cybercriminal groups are abandoning encryption in favour of pure data exfiltration for faster, lower-cost cyber-attacks
  • Global vulnerability disclosures rose 21% to exceed 35,000 in the year to the end of October 2025
  • First evidence of a nation-state-backed threat group leveraging Claude’s agentic capabilities to orchestrate attacks, with AI agents performing up to 90% of the intrusion activity
  • Social engineering remains the most common initial access vector for high-profile intrusions.

Common Social Engineering Techniques

Vishing (Voice Phishing)

Vishing is a technique where attackers use phone-based communication to impersonate trusted entities, including legitimate employees. It’s being advanced by deepfake technology that requires only small samples of voice data to mimic a chosen voice convincingly, significantly increasing the probability of an attack being successful.

Instant Messenger Phishing

This is another social engineering attack method, in which cybercriminals use chat platforms, such as Microsoft Teams, to trick victims into clicking malicious links or installing malware. This method was widely used by the Russian group Midnight Blizzard before being adopted by organised crime groups.

Spear Phishing

This technique is a targeted form of phishing that focuses on a specific individual or organisation, often enriched by personalised information found via social media to make the attack seem more genuine. AI is sometimes used to enhance this technique by ensuring attempts are grammatically correct and tailored for specific use.

ClickFix

In a ClickFix attack, an attacker lures a victim into executing malicious code on their system via a fake CAPTCHA prompt. The interaction is often initiated via spear phishing or via a typo-squatted website designed to look legitimate.

The threat of stealware

Cybercriminals sometimes employ stealware to harvest sensitive information like credentials and passwords, which are often used or sold for further exploitation. Valid credentials and session data can allow attackers to gain access to victim systems by quietly blending into normal authentication flows.

Eight quick ways to counter social engineering and stealware:

Principle of least privilege: Ensure users operate with only the minimum permissions needed to conduct their required tasks. No more, no less.

Help desk hardening: Credential reset requests made via the help desk for users with admin privileges should require additional investigation, engaging the user’s line management to confirm the validity of the claim before any password reset is issued.

Strengthen user awareness and training: Employees are the primary target of social engineering, so education is critical. Training should focus on the recognition, avoidance, and reporting of manipulation tactics such as phishing and phony CAPTCHA instances.

Phishing-resistant multi-factor authentication (MFA): Traditional MFA methods like SMS codes or one-time passwords can be intercepted through fake login pages or via MFA fatigue campaigns. Phishing-resistant MFA removes that vulnerability by binding generated MFA keys to specific platforms and websites, ensuring that if a user is redirected to a fake site, the authentication fails as there are no codes to steal.

Active brand and dark web monitoring: Awareness of dark web brand exposure enables organisations to counter stolen credentials and sessions, through actions such as password resets, before they can be used in an attack.

Robust password management policy: Ensuring that multiple accounts do not share the same password is critical to reducing inadvertent lateral movement across weak security environments. Passwords should be complex and unique; password managers make this simple.

Continuously review conditional access policies: The recommended session length before a password is required again should not extend past three days, and admin accounts should have this shortened to a maximum of eight hours.

Browser reduction: Organisations are advised to limit available browsers to a select one or two, thereby reducing the impact of browser vulnerabilities and easing vulnerability management efforts.
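To illustrate the phishing-resistant MFA point above, the following added example (not part of the original report or Quorum Cyber's own code) contrasts a one-time password, which verifies no matter where it was typed, with the origin and relying-party checks a server applies to a WebAuthn assertion. The domain names, function names and sample values are constructed assumptions, and the final signature verification over both blobs is omitted because it needs the registered public key.

```python
import base64, hashlib, hmac, json, struct

RP_ID = "login.example.com"                      # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # assumed legitimate origin

def totp(secret, t, step=30, digits=6):
    """RFC 6238 code: depends only on the shared secret and the time."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret, submitted, t):
    # The server sees only digits; the site they were typed into is invisible.
    return hmac.compare_digest(totp(secret, t), submitted)

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin, rp_id, challenge):
    """Constructed stand-in for the browser/authenticator response."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": b64url(challenge)}).encode()
    # authenticatorData = SHA-256(rpId) | flags (0x01 = user present) | counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + bytes(4)
    return client_data, auth_data

def check_binding(client_data, auth_data, expected_challenge):
    """Binding checks made before the signature over both blobs is verified."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:  # set by the browser, not the user
        return "origin mismatch"
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user not present"
    return "ok"

if __name__ == "__main__":
    secret, chal = b"12345678901234567890", b"server-issued-nonce"  # constructed
    print("relayed TOTP accepted:", verify_totp(secret, totp(secret, 59), 59))
    fake = "https://login.example.com.phish.test"  # constructed look-alike
    print("look-alike site:", check_binding(*make_assertion(fake, "phish.test", chal), chal))
    print("real site:", check_binding(*make_assertion("https://login.example.com", RP_ID, chal), chal))
```

Because the signature covers the authenticator data and a hash of the client data, a relay cannot rewrite the origin after the fact without invalidating the assertion.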

“Threat actors are no longer simply exploiting vulnerabilities – they are strategically engineering campaigns to target the interconnected nature of modern digital ecosystems,” says Quorum Cyber CEO Federico Charosky. “Despite these challenges, I’m optimistic that the tide is turning in favour of defenders. Cross-sector collaboration is strengthening, and more organisations are shifting from reactive defences to proactive resilience strategies.”

Understand the threats facing your organisation

As CyberScotland Week shines a light on practical resilience with the theme “Can’t Hack it?”, it’s a good moment to take stock of what’s really driving risk for organisations like yours in 2026, and what to prioritise next.

Download the 2026 Global Cyber Risk Outlook for free to get a clear view of the most active threats and the actions that reduce real-world impact.

You can also register for our 2026 Global Cyber Risk Outlook Webinar at 4pm GMT / 11am ET on Wednesday 25th February (during CyberScotland Week), where we’ll walk through the key findings of the report and answer questions live.

If you’d like help turning the insights into a practical, “doable” plan for your team, whether that’s tightening identity controls, improving patch and vulnerability cadence, or pressure-testing incident readiness, get in touch. We’re happy to talk through what’s most relevant for your organisation and advise what to tackle first.
